diff options
author | NIIBE Yutaka <gniibe@fsij.org> | 2022-06-24 08:59:31 +0900 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2022-06-24 08:59:31 +0900 |
commit | 58c92098d053aae7c78cc42bdd7c80c13efc89bb (patch) | |
tree | be9dd3832930970789a04234d14c4e17104b3b72 | |
parent | 07722d89bac1a739b084b4412c3ff42e215d5968 (diff) | |
download | libgcrypt-58c92098d053aae7c78cc42bdd7c80c13efc89bb.tar.gz |
hmac,hkdf: Allow use of shorter salt for HKDF.
* cipher/md.c (prepare_macpads): Move the check to...
* src/visibility.c (gcry_mac_setkey): ... here.
* tests/t-kdf.c (check_hkdf): No failure is expected.
--
GnuPG-bug-id: 6039
Fixes-commit: 76aad97dd312e83f2f9b8d086553f2b72ab6546f
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
-rw-r--r-- | cipher/md.c | 3 | ||||
-rw-r--r-- | src/visibility.c | 3 | ||||
-rw-r--r-- | tests/t-kdf.c | 12 |
3 files changed, 4 insertions, 14 deletions
diff --git a/cipher/md.c b/cipher/md.c index 4f4fc9bf..34336b5c 100644 --- a/cipher/md.c +++ b/cipher/md.c @@ -903,9 +903,6 @@ prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen) { GcryDigestEntry *r; - if (fips_mode () && keylen < 14) - return GPG_ERR_INV_VALUE; - if (!a->ctx->list) return GPG_ERR_DIGEST_ALGO; /* Might happen if no algo is enabled. */ diff --git a/src/visibility.c b/src/visibility.c index c98247d8..aee5bffb 100644 --- a/src/visibility.c +++ b/src/visibility.c @@ -946,6 +946,9 @@ gcry_mac_setkey (gcry_mac_hd_t hd, const void *key, size_t keylen) if (!fips_is_operational ()) return gpg_error (fips_not_operational ()); + if (fips_mode () && keylen < 14) + return GPG_ERR_INV_VALUE; + return gpg_error (_gcry_mac_setkey (hd, key, keylen)); } diff --git a/tests/t-kdf.c b/tests/t-kdf.c index 4596c5c7..508e4bbe 100644 --- a/tests/t-kdf.c +++ b/tests/t-kdf.c @@ -1875,17 +1875,7 @@ check_hkdf (void) info, infolen, expectedlen, out); if (err) - { - if (in_fips_mode && saltlen < 14) - { - if (verbose) - fprintf (stderr, - " shorter salt (%lu) rejected correctly in fips mode\n", - saltlen); - } - else - fail ("HKDF test %d failed: %s\n", count, gpg_strerror (err)); - } + fail ("HKDF test %d failed: %s\n", count, gpg_strerror (err)); else if (memcmp (out, expected, expectedlen)) { fail ("HKDF test %d failed: mismatch\n", count); |